If you have any queries or would like to subscribe to the FinTech Monthly Bulletin, please contact Angus Allen
1. General
1.1 The European Commission (Commission) has published a banking and finance newsletter, which provides further information on the proposed EU digital finance strategy. The strategy aims to ensure the EU financial services regulatory framework promotes digital finance, while proportionately regulating the risks arising from digitalisation and new technologies. In the newsletter, the Commission sets out that it intends to launch a public consultation on the strategy from March to May 2020, and that it will present the strategy in Q3 2020. (26 February 2020)
1.2 The Commission has published a communication on shaping Europe’s digital future. The communication sets out the EU’s digital priorities over the next five years, which include:
- ensuring that technology works for the people;
- enabling a fair and competitive digital economy; and
- creating an open, democratic and sustainable society.
The communication includes a White Paper on artificial intelligence (AI) (see paragraph 2.3 below) and a European strategy for data (see paragraph 6.3 below). In addition, the Commission announced that it will present later this year a Digital Services Act and a European Democracy Action Plan, propose a review of the eIDAS regulation and strengthen cybersecurity by developing a Joint Cyber Unit. (19 February 2020)
1.3 Sir Jon Cunliffe, Deputy Governor of Financial Stability at the UK Bank of England (BoE), has spoken about the governance of financial globalisation, progress made to date and remaining challenges. In his speech, Cunliffe discussed, among other things: the work of the Financial Stability Board on cryptoassets; the challenges created by the use of AI; and cross-border financial activity now that the UK has left the EU. (11 February 2020)
2. AI and Automation
2.1 The European Data Protection Supervisor (EDPS) has published a blog post on the challenges and opportunities raised by AI and facial recognition. The blog refers to the EDPS’s recent workshop on this topic, where participants discussed: the applicability of the General Data Protection Regulation (GDPR) to AI data processing; scientific research and innovation in this area; and AI and facial recognition technologies. Participants generally agreed that, because AI can have a significant effect on individuals and society as a whole, it is important to define the boundaries of particular extremely high-risk scenarios where the rights and freedoms of individuals may be compromised. The EDPS will draw on discussions from the workshop to contribute to the EU public consultation on the White Paper on AI (see paragraph 2.3 below) and the EDPS Strategy 2020-2024. (21 February 2020)
2.2 The European Parliament Committee on Civil Liberties, Justice and Home Affairs has held a hearing on the use of AI, including facial recognition technologies, in criminal law and its use by the police and judicial authorities. The hearing examined the benefits and challenges of AI in criminal law, predictive policing, facial recognition and ethical considerations. (20 February 2020)
2.3 The Commission has published a White Paper on its approach to AI. The White Paper sets out the Commission’s ambitions for the EU to become a world leader in AI systems that are safe and trustworthy.
The Commission proposes new rules to address high-risk AI systems in areas such as health, policing and transport. Such AI systems should be transparent, traceable and guarantee human oversight. Unbiased data is needed to train high-risk systems to perform properly and to ensure respect of fundamental rights, in particular non-discrimination. The Commission plans to launch a debate on the circumstances in which the use of facial recognition technology may be justified.
For lower risk AI applications, the Commission envisages a voluntary labelling scheme where higher standards are applied.
The consultation closes on 19 May 2020. For more information, please refer to our article published here. (19 February 2020)
2.4 The UK Information Commissioner’s Office (ICO) has published draft guidance on the AI auditing framework. The draft guidance includes: advice on understanding data protection law in relation to AI; recommendations on mitigating the risks AI creates for individuals; and a methodology for auditing AI applications and ensuring fair data processing. The consultation on the draft guidance closes on 1 April 2020. (19 February 2020)
2.5 The UK Financial Conduct Authority (FCA) has published a blog post announcing a year-long collaboration with the Alan Turing Institute focussed on AI transparency. The blog post sets out the reasons for creating a project on AI transparency and outlines an initial framework for considering transparency needs in the context of machine learning in financial markets. For more information, please refer to our article published here. (19 February 2020)
2.6 The European Parliament has approved a resolution calling for fair and safe rights for consumers in relation to AI and automated decision-making (ADM) technologies. The European Parliament welcomed the potential that ADM has to produce improved and innovative services to consumers. However, the European Parliament also recognises that consumers should be properly informed about how ADM functions and how a system’s decisions can be reviewed and corrected. The European Parliament called for a risk-assessment scheme for AI and ADM and for a common EU approach to these processes. The resolution will be forwarded to the EU Council (Council) and the Commission. (12 February 2020)
3. Cloud Computing
The European Insurance and Occupational Pensions Authority (EIOPA) has published guidelines on outsourcing to cloud service providers in relation to analysis done in response to the Commission’s FinTech Action Plan. The purpose of the guidelines is to provide clarification and transparency to market participants, avoiding potential regulatory arbitrage, and to establish supervisory convergence on the expectations and processes applicable to cloud outsourcing. (6 February 2020)
4. Cryptoassets
4.1 Paul Chan, the Hong Kong Finance Minister, has announced in his annual budget report that the Hong Kong Government will consider incorporating virtual asset service providers into Hong Kong’s anti-money laundering and counter-terrorist financing regulatory framework. The Hong Kong Government plans to launch a public consultation on such proposals this year. (26 February 2020)
4.2 The Financial Action Taskforce (FATF) has published the outcomes of its second plenary under the Chinese Presidency held on 19-21 February 2020. At this plenary, the FATF identified two strategic priorities: understanding and leveraging the use of digital identity and mitigating the money laundering and terrorist financing risks of virtual assets. In order to address these priorities, the FATF has: adopted a new guidance paper on digital identity designed to create a clearer understanding of how digital identity systems work; and announced that it will report to the G20 on its evaluation of money laundering/terrorist financing risks in connection with stablecoins in July 2020. (21 February 2020)
4.3 The BoE has published a staff working paper on blockchain structure and cryptocurrency prices. In this paper, the BoE sets out a model for cryptocurrency price formation that endogenises the financial market for cryptocurrency and the market for blockchain space and explores the interaction between them. The paper concludes, among other things: that the pricing curve for cryptocurrencies can be locally downward-sloping as higher speculative demand can crowd out money usage; and that the willingness to use cryptocurrency as money is inversely related to its price. (14 February 2020)
4.4 The International Organisation of Securities Commissions (IOSCO) has published a final report on issues, risks and regulatory considerations relating to cryptoasset trading platforms (CTPs), following an IOSCO consultation in May 2019. The report discusses the challenges arising from secondary trading of cryptoassets on CTPs and sets out key considerations, such as market integrity and price discovery, to assist regulatory authorities when assessing CTPs against the backdrop of their regulatory frameworks. (12 February 2020)
4.5 Governor Lael Brainard, a member of the US Federal Reserve’s Board of Governors, has spoken about issues to consider in relation to the digitalisation of payments and currency. Brainard discussed the opportunities presented by the digitalisation of payments, while acknowledging risks such as the difficulty regulating digital currencies. Brainard recommended that the public sector should, among other things: engage with other stakeholders so that it can ensure the payments infrastructure is safe and efficient; evaluate whether regulatory boundaries need to be amended; and consider if a central bank digital currency would lead to key benefits on the whole. (5 February 2020)
5. Cybersecurity
5.1 The European High Representative for Foreign Affairs and Security Policy, on behalf of the EU, has called on the international community to strengthen its collaboration in order to create an international, open and safe cyberspace where responsible behaviour is encouraged. The declaration outlines the concern of the EU and its Member States about cyberattacks such as the one suffered by Georgia in October 2019, stating that it demonstrated disregard for security and stability in cyberspace. (21 February 2020)
5.2 The European Systemic Risk Board (ESRB) has published a report on cyber incidents which identifies cyber risk as a source of systemic risk to the financial system with the potential to threaten financial stability. The report also sets out how and why a cyber incident could develop to cause serious detriment to financial systems. The ESRB will look to use its institutional composition and network to analyse the costs and benefits of different policy options designed to mitigate systemic cyber risk. (19 February 2020)
5.3 The UK National Cyber Security Centre (NCSC) has announced that the Northern Ireland Cyber Security Centre has opened and will work with the NCSC to ensure the public and organisations will have access to the correct advice, guidance and support. The new Centre will create a centralised communications role for cyber security in Northern Ireland and assist in delivering Northern Ireland’s cyber security strategic framework for action. (18 February 2020)
5.4 The NCSC has published an advisory on Trickbot, a banking trojan designed to commit identity fraud by accessing online accounts in order to retrieve personally identifiable information. As well as explaining what Trickbot is, the advisory sets out the impact of Trickbot and advice on dealing with a potential Trickbot attack. To prevent a possible Trickbot infection, the advisory recommends, among other things: ensuring data is stored in an offline backup; using the latest supported versions of operating systems and software; and keeping antivirus software up to date. (12 February 2020)
5.5 The NCSC has announced a new research call through its Research Institute for Sociotechnical Cyber Security, aimed at helping the NCSC’s Sociotechnical Security Group (StSG) further understand the ecosystem and markets within which cybersecurity operates. This research will be used to inform StSG as to which cyber security interventions will be most effective and what is not working. The call has four priority themes: economics and market design; incentives and interventions; data modelling; and the effect of cyber insurance on secure behaviours. The deadline for submissions of the full research proposal is 6 March 2020. (4 February 2020)
5.6 The European Union Agency for Cybersecurity (ENISA) has published a report investigating five different areas with existing frameworks or standards (such as Internet of Things and cloud infrastructure and services) that may potentially be developed into EU candidate cybersecurity certification schemes. The report analyses the current standards in place, identifies gaps and recommends how to improve and adapt existing standards into new candidate EU cybersecurity schemes. The ENISA has also published a report containing a methodology and recommendations in support of cybersecurity certification that can be used as a guideline for new certification schemes or standards authors. (4 February 2020)
5.7 See also paragraphs 8.1 and 8.3.
6. Data
6.1 The ICO has published guidance for organisations looking to develop GDPR codes of conduct or certification schemes. The codes of conduct and schemes, which can now be submitted to the ICO for approval, aim to help data controllers and processors demonstrate compliance with the GDPR. Organisations will be able to sign up to an ICO approved code of conduct to show they are acting in accordance with data protection legislation. In relation to certification schemes, organisations will be able to apply for their personal data processing to be certified under the relevant scheme once they have submitted scheme criteria to the ICO for approval. (28 February 2020)
6.2 The European Economic Area (EEA) Supervisory Authorities (SAs) and the EDPS have met for their eighteenth plenary session. In this plenary, the European Data Protection Board (EDPB) adopted: draft guidelines aimed at clarifying the application of GDPR articles dealing with transfers of personal data from EEA public authorities or bodies to bodies in third countries or to international organisations; and a statement on the privacy implications of mergers. The EDPB, along with the individual SAs, also contributed to the assessment and review of the GDPR since its implementation. (20 February 2020)
6.3 The Commission has published a paper on the European strategy for data. The paper outlines: the importance of data to the Commission’s ambitions for a digital transformation across the EU; plans to create a single market for data where data can flow within the EU and across sectors; and current barriers to realising the Commission’s vision. The paper also sets out a strategy for policy measures to be implemented and investments to be made in order to strengthen the data economy over the next five years. (19 February 2020)
6.4 The People’s Bank of China (PBOC) has published the personal financial information technical specification, which contains guidance on handling personal information in the finance industry. The specification sets out protection requirements for personal financial information throughout the data lifecycle, including collection, transmission, storage, usage, deletion and destruction. (13 February 2020)
6.5 The UK Government has published an initial response to the consultation on the Online Harms White Paper, a Paper which outlines the Government’s plans for a world-leading set of measures designed to keep UK users safe online. The initial response provides a detailed breakdown of the responses to the 18 consultation questions and an overview of the feedback received from wider engagement with stakeholders. The UK Government has also announced that it is minded to legislate to appoint Ofcom, the UK’s communications watchdog, as the online harms regulator. A full consultation on the Online Harms White Paper, which will include details on the possible enforcement powers Ofcom may have, will be published in Spring 2020. (12 February 2020)
6.6 The PRC Office of the Central Cyberspace Affairs Commission has issued a circular that aims to provide guidance on the use of personal data during the novel coronavirus (COVID-19) outbreak. According to the circular, no party except institutions authorised by the relevant health authorities is allowed to collect and use personal data without the consent of data subjects, even for the purpose of epidemic control and disease treatment. The circular also emphasised that the collection of personal information for joint prevention and control of the epidemic should follow relevant rules and should, in principle, be limited to specified groups such as confirmed and suspected cases of COVID-19. (9 February 2020)
6.7 The FCA, the ICO and the UK Financial Services Compensation Scheme (FSCS) have published a joint statement warning FCA-authorised firms and insolvency practitioners (IPs) to be responsible when handling personal data. The statement points out that some of these firms and IPs have unlawfully attempted to share clients’ personal data with claims management companies (CMCs) at the point before or after a firm has gone into administration. By passing on this personal data, companies may be failing to meet their data protection obligations set out in statute and the GDPR. CMCs may also be in breach of requirements they have under the Privacy and Electronic Communications Regulations 2003 and the FCA Handbook. The FCA or ICO, as appropriate, will take suitable action in response to these breaches and/or failures to comply with relevant data protection legislation. (7 February 2020)
6.8 The United States and Singapore have issued a joint statement on financial services data connectivity. The statement acknowledges the benefits and risks of aggregating, storing, processing and transmitting data across borders. It also sets out the data connectivity objectives that are shared by the United States and Singapore. Both countries intend to encourage data connectivity and to implement rules in their bilateral and multilateral economic relationships to fulfil specified goals (such as ensuring financial service suppliers can electronically transfer data across borders). (5 February 2020)
6.9 The UK Centre for Data Ethics and Innovation (CDEI) has published its first recommendations to the UK Government on social media targeting. The review acknowledges the benefits of online targeting and sets out associated risks, such as the lack of transparency and accountability under which online targeting systems operate. The review recommends: that the new proposed regulation to manage online harms should ensure companies using online targeting systems are held to higher standards of accountability; the operation of online targeting should be more transparent; and policy should seek to provide people with more information and control over the manner in which they are targeted. (4 February 2020)
6.10 See also paragraph 4.2.
7. Distributed Ledger Technology, Blockchain and Smart Contracts
7.1 The International Swaps and Derivatives Association (ISDA) has published legal guidelines for smart derivatives contracts, which aim to assist technology developers, lawyers and other key stakeholders in the development of smart derivatives contracts in the equity derivatives market. The paper: sets out equity derivatives transactions and the different product types; describes how equity derivatives transactions are documented under the 2002 and 2011 ISDA Equity Definitions; and analyses how smart derivatives contracts may be constructed and delivered within the framework established by the 2011 ISDA Equity Definitions. (10 February 2020)
7.2 The European Central Bank and the Bank of Japan have published a paper on Project Stella phase four, a joint research project analysing through conceptual studies and practical experimentation how confidentiality and auditability could be balanced in a distributed ledger environment. Specifically, the report evaluates: the way in which privacy-enhancing technologies and techniques would guarantee confidentiality; and arrangements that facilitate effective auditing for transactions in a financial market infrastructure based on distributed ledger technologies. The report outlines points to be further considered when exploring how to balance confidentiality and the auditability of transactions for practical considerations. (February 2020)
8. InsurTech
8.1 The EIOPA has published its 2020 supervisory convergence plan for the insurance industry. The plan identifies largely the same priorities for 2020 that it did for 2019, adding supervisory technology (SupTech), pensions issues and cyber underwriting as new priority areas. The plan also includes new priorities relating to the EIOPA’s advice to the Commission on the Solvency II review. The priorities are organised under the three building blocks of supervisory convergence, which include: the practical implementation of the key characteristics of the common supervisory culture and further development of supervisory tools; risks to the internal market and to the level playing field potentially leading to supervisory arbitrage; and supervision of emerging risks. (12 February 2020)
8.2 The EIOPA has published its strategy for SupTech for the insurance and occupational pensions sectors. The EIOPA aims to promote the use of technology to deliver innovative and efficient supervisory solutions by: implementing a platform for ongoing exchange of knowledge and experience to promote a culture of innovation and initiative between supervisors; and organising and endorsing the analysis of potential development tools and implementing them following a positive decision in the analysis phase. (11 February 2020)
8.3 The EIOPA has published its strategy on cyber underwriting, describing the work done by the EIOPA to date and future proposals. In order to build a resilient cyber insurance market, the EIOPA has identified that it is necessary to have, among other things: appropriate cyber underwriting and risk management practices; appropriate assessment and mitigation tools to address potential risks; and an adequate level and quality of data on cyber incidents at the European level. The EIOPA will now take action to address these conditions as part of its own supervisory and regulatory priorities and in its capacity as a facilitator and catalyst to delivering cyber insurance advice. (11 February 2020)
9. Payments and Open Banking
9.1 The Council has adopted new rules for the exchange of VAT payment data, aimed at facilitating the identification of tax fraud in cross-border e-commerce transactions. The set of rules includes amendments to the VAT directive introducing requirements for payment service providers to keep records of cross-border e-commerce payments and a regulation on administrative cooperation in the VAT sector. The new measures will come into effect on 1 January 2024. (18 February 2020)
9.2 The Australian Competition & Consumer Commission, Australia’s competition watchdog, has finalised the Competition and Consumer (Consumer Data Right) Rules which will introduce open banking in the jurisdiction. As well as requiring the four major Australian banks to share product reference data (such as interest rates and mortgages) with accredited data recipients, the Rules also provide legislative force to consumer data sharing obligations, which become mandatory from 1 July 2020. The rules came into force on 6 February 2020. (5 February 2020)
About Simmons & Simmons’ FinTech team
The FinTech Monthly Bulletin is prepared by the FinTech team of Simmons & Simmons.
Since its emergence into the mainstream, the FinTech sector has captured the interest and imagination of entrepreneurs, investors, governments and regulators, not to mention financial institutions and asset managers. We understand the opportunities and challenges that lie at the heart of the FinTech revolution and advise clients navigating the novel legal and regulatory issues that frequently arise.
Our market leading FinTech team combines specialist expertise across practices and offices with insights resulting from a focus on the TMT, Financial Institutions, and Asset Management and Investment Funds sectors.
Our clients range from early stage start-ups to some of the world’s largest financial institutions and technology providers. We also advise clients partnering with or investing in FinTech firms as well as financial institutions and asset managers developing their own FinTech solutions.
We support clients across a broad range of FinTech matters including crowdfunding, payments, cryptoassets, distributed ledger technology, InsurTech and RegTech, and we are interested in all areas of financial technology innovation.
If you would like to find out more about our FinTech team or require advice on a FinTech matter, please contact one of our lawyers at this link or your usual Simmons & Simmons contact.